After reading about sqrl, the qr-based login system invented by Steve Gibson, I started to think about hashed password generators as a light-variant to sqrl.
What if you could have a password generator that always gives you the same output? Think about it. You use the generator that outputs the password of “1LKk23j!2323^dfD” to be used at facebook.com. One year later you forgot that password and you start the same password generator and it gives you the same password again. Great, huh?
In order for it to be secure we have a few requirements though:
- It needs to be unique per site. That is, I do not want to use the same password on facebook, twitter, amazon and instagram.
- It needs to be unique per user. I do not want to have the same facebook password as you have.
So, we take 2 inputs to the password generator:
- Something that is unique per site. The domain name or the site name or whatever. For simplicity say that you enter “facebook” for facebook, “twitter” for twitter and so on.
- Something that is unique per user. My super secret key. It might be the chassis number of my ex spouse brother´s first car, the first sentence in your favourite book or anything hat you will always remember (and write down, and store it securely!).
We also have to decide the length of the output passwords. I suggest something like 12 characters. It is long enough to not brute force.
I built the password generator as a simple bash script since I have already openssl installed. The script below will do this:
- ask for the site-specific parameter you want to create the password for (in our example ‘facebook)
- Ask for your super secret private password.
- Create a cryptocraphic hash digest of your site-specific password ‘facebook’ with your private key as a… eeeh… private key. 🙂
- Since the output is binary, all non-printable characters will be removed.
- The first 12 bytes of the string will be printed on the screen.
#!/bin/bash
export IFS=""
export LC_ALL=C
read -rp "site: " PARAMETER
read -rsp "common private key: " PASSWORD
echo "Password for site $PARAMETER:"
echo "$PARAMETER" \
| openssl dgst -sha512 -binary -hmac "$PASSWORD" \
| tr -cd '[:print:]' \
| cut -c1-12
echo
IANAC (I am not a cryptographer). Not at all. Am I doing this wrong? Can I enhance the security even further? If you have any input in the subject, please write a comment below!
As I wrote above, I did come up with the idea when reading about sqrl. And after googling around the interwebz I quickly realised that all good ideas are already had. The script above is a rip-off of the hashapass cli-version with some improvements. Since I am not using base64 but instead binary output I will get a password with more variety in characters (higher entropy). Also I raised the password length from 8 to 12 characters.